prefix-dev
diff --git a/‎crates/pixi_build_backend/tests/integration/common/model.rs‎
Lines changed: 1 addition & 0 deletions b/‎crates/pixi_build_backend/tests/integration/common/model.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/pixi_build_cmake/src/main.rs‎
Lines changed: 9 additions & 7 deletions b/‎crates/pixi_build_cmake/src/main.rs‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎crates/pixi_build_mojo/src/main.rs‎
Lines changed: 9 additions & 7 deletions b/‎crates/pixi_build_mojo/src/main.rs‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎crates/pixi_build_python/src/main.rs‎
Lines changed: 9 additions & 7 deletions b/‎crates/pixi_build_python/src/main.rs‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎crates/pixi_build_r/src/main.rs‎
Lines changed: 9 additions & 7 deletions b/‎crates/pixi_build_r/src/main.rs‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎crates/pixi_build_ros/src/main.rs‎
Lines changed: 3 additions & 2 deletions b/‎crates/pixi_build_ros/src/main.rs‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎crates/pixi_build_rust/src/main.rs‎
Lines changed: 5 additions & 2 deletions b/‎crates/pixi_build_rust/src/main.rs‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎crates/pixi_build_type_conversions/src/project_model.rs‎
Lines changed: 1 addition & 0 deletions b/‎crates/pixi_build_type_conversions/src/project_model.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/pixi_build_types/src/project_model.rs‎
Lines changed: 12 additions & 0 deletions b/‎crates/pixi_build_types/src/project_model.rs‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎crates/pixi_manifest/src/build_system.rs‎
Lines changed: 7 additions & 0 deletions b/‎crates/pixi_manifest/src/build_system.rs‎
Lines changed: 7 additions & 0 deletions
@@ -134,6 +134,7 @@ pub(crate) fn convert_test_model_to_project_model_v1(test_model: TestProjectMode
         targets: Some(targets_v1),
         build_number: None,
         build_string_prefix: None,
+        secrets: std::collections::BTreeSet::new(),
     }
 }
 
 
@@ -141,13 +141,15 @@ impl GenerateRecipe for CMakeGenerator {
         }
         .render();
 
-        generated_recipe.recipe.build.script = Script::from_content(build_script).with_env(
-            config
-                .env
-                .iter()
-                .map(|(k, v)| (k.clone(), Value::new_concrete(v.clone(), None)))
-                .collect(),
-        );
+        generated_recipe.recipe.build.script = Script::from_content(build_script)
+            .with_env(
+                config
+                    .env
+                    .iter()
+                    .map(|(k, v)| (k.clone(), Value::new_concrete(v.clone(), None)))
+                    .collect(),
+            )
+            .with_secrets(model.secrets.iter().cloned().collect());
 
         Ok(generated_recipe)
     }
 
@@ -101,13 +101,15 @@ impl GenerateRecipe for MojoGenerator {
 
         let build_script = BuildScriptContext { bins, pkg }.render();
 
-        generated_recipe.recipe.build.script = Script::from_content(build_script).with_env(
-            config
-                .env
-                .iter()
-                .map(|(k, v)| (k.clone(), Value::new_concrete(v.clone(), None)))
-                .collect(),
-        );
+        generated_recipe.recipe.build.script = Script::from_content(build_script)
+            .with_env(
+                config
+                    .env
+                    .iter()
+                    .map(|(k, v)| (k.clone(), Value::new_concrete(v.clone(), None)))
+                    .collect(),
+            )
+            .with_secrets(model.secrets.iter().cloned().collect());
 
         generated_recipe.build_input_globs = Self::globs().collect::<BTreeSet<_>>();
 
 
@@ -376,13 +376,15 @@ impl GenerateRecipe for PythonGenerator {
         generated_recipe.recipe.build.python = python;
         generated_recipe.recipe.build.noarch = noarch_kind;
 
-        generated_recipe.recipe.build.script = Script::from_content(build_script).with_env(
-            config
-                .env
-                .iter()
-                .map(|(k, v)| (k.clone(), Value::new_concrete(v.clone(), None)))
-                .collect(),
-        );
+        generated_recipe.recipe.build.script = Script::from_content(build_script)
+            .with_env(
+                config
+                    .env
+                    .iter()
+                    .map(|(k, v)| (k.clone(), Value::new_concrete(v.clone(), None)))
+                    .collect(),
+            )
+            .with_secrets(model.secrets.iter().cloned().collect());
 
         // Add the metadata input globs from the MetadataProvider
         generated_recipe
 
@@ -201,13 +201,15 @@ impl GenerateRecipe for RGenerator {
         }
         .render();
 
-        generated_recipe.recipe.build.script = Script::from_content(build_script).with_env(
-            config
-                .env
-                .iter()
-                .map(|(k, v)| (k.clone(), Value::new_concrete(v.clone(), None)))
-                .collect(),
-        );
+        generated_recipe.recipe.build.script = Script::from_content(build_script)
+            .with_env(
+                config
+                    .env
+                    .iter()
+                    .map(|(k, v)| (k.clone(), Value::new_concrete(v.clone(), None)))
+                    .collect(),
+            )
+            .with_secrets(model.secrets.iter().cloned().collect());
 
         // Add metadata input globs
         generated_recipe
 
@@ -216,8 +216,9 @@ impl GenerateRecipe for RosGenerator {
             }
         }
 
-        generated_recipe.recipe.build.script =
-            Script::from_content(build_script_content).with_env(script_env);
+        generated_recipe.recipe.build.script = Script::from_content(build_script_content)
+            .with_env(script_env)
+            .with_secrets(model.secrets.iter().cloned().collect());
 
         Ok(generated_recipe)
     }
 
@@ -124,7 +124,7 @@ impl GenerateRecipe for RustGenerator {
             .chain(system_env_vars.clone())
             .collect();
 
-        let mut sccache_secrets = Vec::default();
+        let mut sccache_secrets: BTreeSet<String> = BTreeSet::new();
 
         // Verify if user has set any sccache environment variables
         if sccache_envs(&all_env_vars).is_some() {
@@ -185,14 +185,17 @@ impl GenerateRecipe for RustGenerator {
         }
         .render();
 
+        sccache_secrets.extend(model.secrets.iter().cloned());
+        let secrets = sccache_secrets.into_iter().collect();
+
         generated_recipe.recipe.build.script = Script::from_content(build_script)
             .with_env(
                 config_env
                     .iter()
                     .map(|(k, v)| (k.clone(), Value::new_concrete(v.clone(), None)))
                     .collect(),
             )
-            .with_secrets(sccache_secrets);
+            .with_secrets(secrets);
 
         // Add the input globs from the Cargo metadata provider
         generated_recipe
 
@@ -226,6 +226,7 @@ pub fn to_project_model_v1(
         repository: manifest.package.repository.clone(),
         documentation: manifest.package.documentation.clone(),
         targets: Some(to_targets_v1(&manifest.targets, channel_config)?),
+        secrets: manifest.build.secrets.clone(),
     };
     Ok(project)
 }
 
@@ -65,6 +65,14 @@ pub struct ProjectModel {
     /// The target of the project, this may contain
     /// platform specific configurations.
     pub targets: Option<Targets>,
+
+    /// Names of environment variables that should be exposed as secrets to
+    /// the build script. Backends forward these into the generated
+    /// `build.script.secrets` so rattler-build performs the host-env
+    /// passthrough at build time. Stored as a set: order is not observable
+    /// and changing it should not invalidate caches.
+    #[serde(default, skip_serializing_if = "std::collections::BTreeSet::is_empty")]
+    pub secrets: std::collections::BTreeSet<String>,
 }
 
 impl IsDefault for ProjectModel {
@@ -550,6 +558,7 @@ impl Hash for ProjectModel {
             repository,
             documentation,
             targets,
+            secrets,
         } = self;
 
         StableHashBuilder::<H>::new()
@@ -564,6 +573,7 @@ impl Hash for ProjectModel {
             .field("name", name)
             .field("readme", readme)
             .field("repository", repository)
+            .field("secrets", secrets)
             .field("targets", targets)
             .field("version", version)
             .finish(state);
@@ -871,6 +881,7 @@ mod tests {
             repository: None,
             documentation: None,
             targets: None,
+            secrets: std::collections::BTreeSet::new(),
         };
 
         let hash1 = calculate_hash(&project_model);
@@ -930,6 +941,7 @@ mod tests {
             repository: None,
             documentation: None,
             targets: None,
+            secrets: std::collections::BTreeSet::new(),
         };
 
         let hash1 = calculate_hash(&project_model);
 
@@ -38,6 +38,12 @@ pub struct PackageBuild {
 
     /// The build number configured by the user.
     pub build_number: Option<u64>,
+
+    /// Names of environment variables to expose as secrets to the build
+    /// script. Values are looked up at build time from the host environment by
+    /// the build backend; only the names live in the manifest. Stored as a
+    /// set since order is not observable.
+    pub secrets: std::collections::BTreeSet<String>,
 }
 
 impl PackageBuild {
@@ -52,6 +58,7 @@ impl PackageBuild {
             target_config: None,
             build_string_prefix: None,
             build_number: None,
+            secrets: std::collections::BTreeSet::new(),
         }
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -134,6 +134,7 @@ pub(crate) fn convert_test_model_to_project_model_v1(test_model: TestProjectMode`
`134`	`134`	`targets: Some(targets_v1),`
`135`	`135`	`build_number: None,`
`136`	`136`	`build_string_prefix: None,`
	`137`	`+ secrets: std::collections::BTreeSet::new(),`
`137`	`138`	`}`
`138`	`139`	`}`
`139`	`140`
Original file line number	Diff line number	Diff line change
`@@ -216,8 +216,9 @@ impl GenerateRecipe for RosGenerator {`
`216`	`216`	`}`
`217`	`217`	`}`
`218`	`218`
`219`		`- generated_recipe.recipe.build.script =`
`220`		`- Script::from_content(build_script_content).with_env(script_env);`
	`219`	`+ generated_recipe.recipe.build.script = Script::from_content(build_script_content)`
	`220`	`+ .with_env(script_env)`
	`221`	`+ .with_secrets(model.secrets.iter().cloned().collect());`
`221`	`222`
`222`	`223`	`Ok(generated_recipe)`
`223`	`224`	`}`
Original file line number	Diff line number	Diff line change
`@@ -226,6 +226,7 @@ pub fn to_project_model_v1(`
`226`	`226`	`repository: manifest.package.repository.clone(),`
`227`	`227`	`documentation: manifest.package.documentation.clone(),`
`228`	`228`	`targets: Some(to_targets_v1(&manifest.targets, channel_config)?),`
	`229`	`+ secrets: manifest.build.secrets.clone(),`
`229`	`230`	`};`
`230`	`231`	`Ok(project)`
`231`	`232`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,12 @@ pub struct PackageBuild {`
`38`	`38`
`39`	`39`	`/// The build number configured by the user.`
`40`	`40`	`pub build_number: Option<u64>,`
	`41`	`+`
	`42`	`+ /// Names of environment variables to expose as secrets to the build`
	`43`	`+ /// script. Values are looked up at build time from the host environment by`
	`44`	`+ /// the build backend; only the names live in the manifest. Stored as a`
	`45`	`+ /// set since order is not observable.`
	`46`	`+ pub secrets: std::collections::BTreeSet<String>,`
`41`	`47`	`}`
`42`	`48`
`43`	`49`	`impl PackageBuild {`
`@@ -52,6 +58,7 @@ impl PackageBuild {`
`52`	`58`	`target_config: None,`
`53`	`59`	`build_string_prefix: None,`
`54`	`60`	`build_number: None,`
	`61`	`+ secrets: std::collections::BTreeSet::new(),`
`55`	`62`	`}`
`56`	`63`	`}`
`57`	`64`	`}`